Headline
CVE-2023-29528: SXSS via source in text area
XWiki Commons are technical libraries common to several other top level XWiki projects. The “restricted” mode of the HTML cleaner in XWiki, introduced in version 4.2-milestone-1 and massively improved in version 14.6-rc-1, allowed the injection of arbitrary HTML code and thus cross-site scripting via invalid HTML comments. As a consequence, any code relying on this “restricted” mode for security is vulnerable to JavaScript injection ("cross-site scripting"/XSS). When a privileged user with programming rights visits such a comment in XWiki, the malicious JavaScript code is executed in the context of the user session. This allows server-side code execution with programming rights, impacting the confidentiality, integrity and availability of the XWiki instance. This problem has been patched in XWiki 14.10, HTML comments are now removed in restricted mode and a check has been introduced that ensures that comments don’t start with >. There are no known workarounds apart from upgrading to a version including the fix.
**Type: ** Security
Resolution: Solved By
**Priority: ** Blocker
- Affects Version/s: 14.6-rc-1
Documentation in Release Notes:
N/A
SUBMISSION REFERENCES
- Submission code: XWIKI-PST6B4ZK
- Submission URL: https://www.intigriti.com/auth/dashboard?redirect=/submissions/e95a7ad5-7029-4627-abf0-3e3e3ea0b4ce/XWIKI-PST6B4ZK
RESEARCHER INFORMATION
- Submitter: ynoof
SUBMISSION INFORMATION
- Created at: Fri, 04 Nov 2022 14:36:49 GMT
- Submission status: Accepted
REPORT CONTENT
- Severity: High
- Domain: https://intigriti.xwiki.com/ (Url)
- Proof of concept: Hello,
Stored XSS at user profile via `about` text area.
- Steps to reproduce
1. Go to user profile
2. Add the following payload in the `about` text area.
- Steps to reproduce
```
html
'"<!–><Details Open OnToggle=confirm(“Ynoof/Was/Here”)>
/html
```
Click on source before saving.
- POC {186066}
Thanks,
Ynoof
- Impact: An attacker can execute any js code on the victim’s browser.
- Personal data involved: No
- Endpoint: https://intigriti.xwiki.com/xwiki/bin/view/XWiki/ynsec3
- Type: Stored Cross-Site Scripting
- Attachments: poc.png
186066_poc.png
70 kB
10/Nov/22 10:20
is caused by
XCOMMONS-2568 Restricted HTML filtering bypass (XSS) via HTML comments
- Closed
Related news
### Impact The "restricted" mode of the HTML cleaner in XWiki, introduced in version 4.2-milestone-1 and massively improved in version 14.6-rc-1, allowed the injection of arbitrary HTML code and thus cross-site scripting via invalid HTML comments. As a consequence, any code relying on this "restricted" mode for security is vulnerable to JavaScript injection ("cross-site scripting"/XSS). An example are anonymous comments in XWiki where the HTML macro filters HTML using restricted mode: ```html {{html}} <!--> <Details Open OnToggle=confirm("XSS")> {{/html}} ``` When a privileged user with programming rights visits such a comment in XWiki, the malicious JavaScript code is executed in the context of the user session. This allows server-side code execution with programming rights, impacting the confidentiality, integrity and availability of the XWiki instance. Note that while all versions since 4.2-milestone-1 should be vulnerable, only starting with version 14.6-rc-1 the HTML comment is...